question

Spellboundvfx-6478 avatar image
0 Votes"
Spellboundvfx-6478 asked GaryNebbett answered

6281 Event failure

In our network, we are receiving constant event failures in this category. Can somebody explain what may be the reason?



Event 6281 occurred at 02-04-2021 10:07:16.


Date Time: 02-04-2021 10:07:16
Event Source: Microsoft-Windows-Security-Auditing
Event Category: 12290
Event Type: Information
Event ID: 6281
Event Log Name: HardwareEvents
User: N/A
Computer: xxxxxx
Description:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\aepic.dll
Event Parameters:
\Device\HarddiskVolume3\Windows\System32\aepic.dll
%String2%
%String3%


Report generated on: xxxxxxx

windows-10-security
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Are you facing any other error (other than the log file)?
Open start and search for Command prompt and run as administrator and then type the following command:

sfc /scannow

And press enter and let it runs.
You may report this issue through the Feedback Hub app.



0 Votes 0 ·
SSengupta-4080 avatar image
0 Votes"
SSengupta-4080 answered
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GaryNebbett avatar image
0 Votes"
GaryNebbett answered

Hello @Spellboundvfx-6478,

You mention "event failures in this category" - does this imply that the file name in the events that you have seen differ?

If the file name is always aepic.dll or a small set of file names, it might be worth investigating what is wrong with the file(s) and how the damage may have happened. The SDK tool "signtool" can be used to examine the problem in more detail (e.g. signtool verify /a /v /ph /debug \Windows\System32\aepic.dll). If you can make the file available here (via a OneDrive, Google Drive, etc. link) then we can check it and try to determine if a targeted modification has been applied to the file.

If the filenames vary wildly, then the problem is more likely to be related to checking the certificate chains used in signing/timestamping.

Gary

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.